Configuring Kerberos Authentication on IIS Website

Start IIS Manager on your web server, select the website in question and open the Authentication feature. By default only Anonymous Authentication is enabled. Disable it and enable Windows Authentication: IIS always attempts anonymous authentication first, so as long as it stays enabled the browser is never challenged for Windows credentials.

Open the list of providers available for Windows Authentication (Providers...). By default two providers are listed: Negotiate and NTLM. Negotiate (SPNEGO) is a wrapper that offers Kerberos first and falls back to NTLM when Kerberos cannot be used, for example when the client cannot obtain a service ticket because no SPN matches the URL it requested. Negotiate must be first in the list: if NTLM comes first, clients authenticate with NTLM and never try Kerberos against this site.

The next step is registering Service Principal Name (SPN) entries for the name users will use to reach the website. If the site is reached only by the host name of the server it runs on (http://server-name or http://server-name.adatum.loc), no extra SPNs are needed: the computer account already carries HOST/server-name and HOST/server-name.adatum.loc, and the HTTP service class maps to HOST. If the site address differs from the host name, or you are building a load-balanced web farm, you must register additional SPNs on a computer account or a domain user account.

Suppose we have a farm of IIS servers. In that case it is better to create a dedicated AD account and bind the SPNs to it, and to run the website's Application Pool as that account on every node: the KDC encrypts the service ticket with the key of the account that owns the SPN, so every node must hold that same key.

Create a domain account iis_service. Make sure no SPNs are assigned to it yet (its servicePrincipalName attribute is empty).

Suppose the website must respond at http://webportal and http://webportal.adatum.loc. Both names must be registered as SPNs (HTTP/webportal and HTTP/webportal.adatum.loc) on the service account.

Service tickets for these SPNs are then encrypted with the key of iis_service, which is what allows IIS, running the application pool as that account, to decrypt the Kerberos tickets presented by clients.

Restart IIS with this command:

iisreset

Repeat the same configuration on every server of the web farm.
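The whole procedure above (empty-SPN check, duplicate check, SPN registration, application pool identity, authentication settings, provider order) as one PowerShell session. This is an added example and not part of the original article; it assumes the domain ADATUM / adatum.loc, the service account iis_service, a site named "Default Web Site" and an application pool named "WebPortalPool", and it is run from an elevated prompt on a domain-joined IIS server with the Active Directory RSAT module installed.

```powershell
# Added example, not from the original article. Assumed names: domain ADATUM / adatum.loc,
# service account iis_service, site "Default Web Site", application pool "WebPortalPool".
Import-Module ActiveDirectory
Import-Module WebAdministration

$account = "ADATUM\iis_service"
$spns    = "HTTP/webportal", "HTTP/webportal.adatum.loc"

# 1. The service account should start with an empty servicePrincipalName attribute.
Get-ADUser iis_service -Properties servicePrincipalName |
    Select-Object Name, servicePrincipalName

# 2. Make sure no other account already owns these names. With a duplicate SPN the KDC
#    cannot tell which account's key to use, and Kerberos fails (often as a silent NTLM fallback).
foreach ($spn in $spns) { setspn -Q $spn }

# 3. Register the SPNs. -S checks for duplicates before adding (the older -A does not).
foreach ($spn in $spns) { setspn -S $spn $account }

# 4. Read them back, then scan the forest for duplicates once more.
setspn -L $account
setspn -X

# 5. Run the application pool as the service account (identityType 3 = SpecificUser).
$cred = Get-Credential -UserName $account -Message "Password of the application pool account"
Set-ItemProperty "IIS:\AppPools\WebPortalPool" -Name processModel -Value @{
    userName     = $account
    password     = $cred.GetNetworkCredential().Password
    identityType = 3
}

# 6. Site authentication: anonymous off, Windows Authentication on.
$auth = "system.webServer/security/authentication"
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location "Default Web Site" `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location "Default Web Site" `
    -Filter "$auth/windowsAuthentication" -Name enabled -Value $true

# 7. IIS 7 and later decrypt Kerberos tickets in kernel mode with the MACHINE account by default.
#    The SPNs now belong to iis_service, so make kernel mode use the app pool identity's key
#    (the alternative is useKernelMode=false). Without this, tickets for HTTP/webportal cannot be
#    decrypted and the browser keeps prompting, while http://server-name still works because
#    those SPNs belong to the computer account.
Set-WebConfigurationProperty -PSPath "MACHINE/WEBROOT/APPHOST" -Location "Default Web Site" `
    -Filter "$auth/windowsAuthentication" -Name useAppPoolCredentials -Value $true

# 8. Confirm the provider order: Negotiate must be listed before NTLM.
& "$env:windir\system32\inetsrv\appcmd.exe" list config "Default Web Site" `
    -section:system.webServer/security/authentication/windowsAuthentication

iisreset
```

Run the same script on every node of the farm; steps 1 to 4 only need to succeed once, since the SPNs live on the shared account rather than on the servers.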

Let's test Kerberos authentication by opening http://webportal.adatum.loc in the client's browser.

Note. In my case, I couldn’t authenticate at once in IE11. I had to add the address to the list of trusted websites and specify Automatic logon with current user name and password in User Authentication -> Logon in Trusted Zones Sites settings.

You can confirm that Kerberos is actually being used on your website by inspecting the HTTP traffic with Fiddler (we mentioned this tool earlier).

Start Fiddler and open the target website in the browser. In the left pane, find the request to the website and open the Inspectors tab in the right pane. The message "Authorization Header (Negotiate) appears to contain a Kerberos ticket" shows that Kerberos was used to authenticate to the IIS website. If Negotiate had fallen back to NTLM, the same header would instead carry an NTLM message, so check the header itself rather than just the presence of the Negotiate scheme.
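The check Fiddler performs above can be reproduced without Fiddler by decoding the Authorization header and looking at the GSS-API token inside. The script below is an added example, not code from the original article or from Fiddler: it parses the SPNEGO structure (DER TLVs, the mechanism OID list and the optimistic mechToken) and reports whether the client actually sent Kerberos or NTLM. The sample header values are constructed in the script, including a placeholder in the place of the real AP-REQ; nothing here is captured traffic.

```python
import base64

# DER-encoded OIDs (tag 0x06, length, contents) exactly as they appear inside GSS-API tokens.
OID_SPNEGO  = bytes.fromhex("06062b0601050502")          # 1.3.6.1.5.5.2          SPNEGO
OID_KRB5    = bytes.fromhex("06092a864886f712010202")    # 1.2.840.113554.1.2.2   Kerberos 5
OID_MS_KRB5 = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2    MS Kerberos 5
OID_NTLMSSP = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10 NTLMSSP
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def _der(tag, payload):
    """Encode one DER TLV with a definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def _read_tlv(buf, pos=0):
    """Decode the DER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def classify_authorization(header_value):
    """Return what the client really sent: 'kerberos', 'ntlm', 'negotiate-response', 'basic' or 'unknown'."""
    scheme, _, token_b64 = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme in ("basic", "ntlm"):
        return scheme
    if scheme != "negotiate":
        return "unknown"
    token = base64.b64decode(token_b64 + "=" * (-len(token_b64) % 4))
    return _classify_gss_token(token)


def _classify_gss_token(token):
    if token.startswith(NTLMSSP_SIGNATURE):
        return "ntlm"                    # bare NTLMSSP message sent under the Negotiate scheme
    if not token:
        return "unknown"
    if token[0] == 0xA1:
        return "negotiate-response"      # negTokenResp: a later leg, i.e. an NTLM round trip in progress
    if token[0] != 0x60:
        return "unknown"
    _, inner, _ = _read_tlv(token)                 # InitialContextToken (RFC 2743 section 3.1)
    _, _, end_of_oid = _read_tlv(inner)            # thisMech OID
    this_mech = inner[:end_of_oid]
    if this_mech in (OID_KRB5, OID_MS_KRB5):
        return "kerberos"                # AP-REQ without a SPNEGO wrapper
    if this_mech != OID_SPNEGO:
        return "unknown"
    tag, neg_token_init, _ = _read_tlv(inner, end_of_oid)
    if tag != 0xA0:                      # [0] NegTokenInit
        return "unknown"
    _, seq, _ = _read_tlv(neg_token_init)          # SEQUENCE { [0] mechTypes, [1] reqFlags, [2] mechToken, [3] mechListMIC }
    mech_types, mech_token, p = [], b"", 0
    while p < len(seq):
        tag, value, p = _read_tlv(seq, p)
        if tag == 0xA0:                  # mechTypes: SEQUENCE OF OID, preferred mechanism first
            _, oids, _ = _read_tlv(value)
            q = 0
            while q < len(oids):
                _, _, q_next = _read_tlv(oids, q)
                mech_types.append(oids[q:q_next])
                q = q_next
        elif tag == 0xA2:                # mechToken: OCTET STRING holding the optimistic token
            _, mech_token, _ = _read_tlv(value)
    # The optimistic token belongs to the first listed mechanism, but trust the token bytes
    # over the list: an NTLMSSP signature inside means NTLM regardless of what was advertised.
    if mech_token.startswith(NTLMSSP_SIGNATURE) or (mech_types and mech_types[0] == OID_NTLMSSP):
        return "ntlm"
    if mech_types and mech_types[0] in (OID_KRB5, OID_MS_KRB5) and mech_token[:1] == b"\x60":
        return "kerberos"
    return "unknown"


def build_negotiate_header(mech_types, mech_token):
    """Build an 'Authorization: Negotiate ...' value wrapping mech_token in a SPNEGO negTokenInit."""
    body = _der(0xA0, _der(0x30, b"".join(mech_types))) + _der(0xA2, _der(0x04, mech_token))
    gss = _der(0x60, OID_SPNEGO + _der(0xA0, _der(0x30, body)))
    return "Negotiate " + base64.b64encode(gss).decode("ascii")


# Constructed samples, not captured traffic. A real AP-REQ is a few hundred bytes of ASN.1 carrying
# the encrypted ticket; a placeholder of the same shape (KRB5 InitialContextToken, TOK_ID 01 00,
# [APPLICATION 14] AP-REQ body) is enough for the classifier.
FAKE_AP_REQ = _der(0x60, OID_KRB5 + b"\x01\x00" + _der(0x6E, b"\x00" * 300))
FAKE_NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 24

SAMPLE_KERBEROS = build_negotiate_header([OID_MS_KRB5, OID_KRB5, OID_NTLMSSP], FAKE_AP_REQ)
SAMPLE_NTLM_IN_SPNEGO = build_negotiate_header([OID_NTLMSSP], FAKE_NTLM_TYPE1)
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(FAKE_NTLM_TYPE1).decode("ascii")
SAMPLE_NEG_TOKEN_RESP = "Negotiate " + base64.b64encode(_der(0xA1, _der(0x30, _der(0xA0, b"\x0a\x01\x01")))).decode("ascii")

if __name__ == "__main__":
    for name, hdr in [("kerberos sample", SAMPLE_KERBEROS), ("ntlm in spnego", SAMPLE_NTLM_IN_SPNEGO),
                      ("raw ntlm", SAMPLE_RAW_NTLM), ("negTokenResp", SAMPLE_NEG_TOKEN_RESP)]:
        print(f"{name:16} {hdr[:32]}...  -> {classify_authorization(hdr)}")
```

A quick visual shortcut follows from the encoding: a SPNEGO token carrying a Kerberos ticket is large, so its base64 begins with "YII" (0x60 0x82, a long-form DER length), while a bare NTLM Type 1 message begins with "TlRMTVNTUAAB" (base64 of "NTLMSSP\0\x01"). The prefix alone cannot distinguish a small SPNEGO token wrapping NTLM from one wrapping Kerberos, which is why the script walks the structure instead of pattern-matching the first characters.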

1 comment

David Chivers, October 16, 2017 - 11:14 pm

Thanks for sharing this, it saved me a bunch of time.

Just one comment on IE zones. I add sites that use my Windows credentials to the Local Intranet zone only, where the automatic logon setting is already applied by default. Sites in the Trusted zone are only trusted for their content – I don’t trust them with my Windows credentials.